mirror of
https://github.com/mindoc-org/mindoc.git
synced 2025-09-19 01:58:00 +08:00
perf:过滤内容中的非法字符,增强安全性
This commit is contained in:
lifei6671
@@ -84,6 +84,7 @@ func (c *BookController) Dashboard() {
|
||||
c.Abort("403")
|
||||
}
|
||||
c.Abort("500")
|
||||
return
|
||||
}
|
||||
|
||||
c.Data["Description"] = template.HTML(blackfriday.Run([]byte(book.Description)))
|
||||
@@ -110,6 +111,7 @@ func (c *BookController) Setting() {
|
||||
c.Abort("403")
|
||||
}
|
||||
c.Abort("500")
|
||||
return
|
||||
}
|
||||
//如果不是创始人也不是管理员则不能操作
|
||||
if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
|
||||
@@ -231,6 +233,7 @@ func (c *BookController) PrivatelyOwned() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(6001, err.Error())
|
||||
return
|
||||
}
|
||||
//只有创始人才能变更私有状态
|
||||
if bookResult.RoleId != conf.BookFounder {
|
||||
@@ -241,6 +244,7 @@ func (c *BookController) PrivatelyOwned() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(6005, "项目不存在")
|
||||
return
|
||||
}
|
||||
book.PrivatelyOwned = state
|
||||
|
||||
@@ -278,6 +282,7 @@ func (c *BookController) Transfer() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(6001, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
err = models.NewRelationship().Transfer(bookResult.BookId, c.Member.MemberId, member.MemberId)
|
||||
@@ -296,6 +301,7 @@ func (c *BookController) UploadCover() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(6001, err.Error())
|
||||
return
|
||||
}
|
||||
book, err := models.NewBook().Find(bookResult.BookId)
|
||||
|
||||
@@ -309,6 +315,7 @@ func (c *BookController) UploadCover() {
|
||||
if err != nil {
|
||||
logs.Error("获取上传文件失败 ->", err.Error())
|
||||
c.JsonResult(500, "读取文件异常")
|
||||
return
|
||||
}
|
||||
defer file.Close()
|
||||
|
||||
@@ -405,6 +412,7 @@ func (c *BookController) Users() {
|
||||
c.Abort("403")
|
||||
}
|
||||
c.Abort("500")
|
||||
return
|
||||
}
|
||||
//如果不是创始人也不是管理员则不能操作
|
||||
if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
|
||||
@@ -692,6 +700,7 @@ func (c *BookController) Delete() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(6001, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if bookResult.RoleId != conf.BookFounder {
|
||||
@@ -721,7 +730,9 @@ func (c *BookController) Release() {
|
||||
if c.Member.IsAdministrator() {
|
||||
book, err := models.NewBook().FindByFieldFirst("identify", identify)
|
||||
if err != nil {
|
||||
|
||||
beego.Error("发布文档失败 ->", err)
|
||||
c.JsonResult(6003, "文档不存在")
|
||||
return
|
||||
}
|
||||
bookId = book.BookId
|
||||
} else {
|
||||
@@ -747,7 +758,7 @@ func (c *BookController) Release() {
|
||||
|
||||
//当文档发布后,需要删除已缓存的转换项目
|
||||
outputPath := filepath.Join(conf.GetExportOutputPath(), strconv.Itoa(bookId))
|
||||
os.RemoveAll(outputPath)
|
||||
_ = os.RemoveAll(outputPath)
|
||||
|
||||
}(identify)
|
||||
|
||||
@@ -763,13 +774,14 @@ func (c *BookController) SaveSort() {
|
||||
c.Abort("404")
|
||||
}
|
||||
|
||||
book_id := 0
|
||||
bookId := 0
|
||||
if c.Member.IsAdministrator() {
|
||||
book, err := models.NewBook().FindByFieldFirst("identify", identify)
|
||||
if err != nil {
|
||||
|
||||
if err != nil || book == nil {
|
||||
c.JsonResult(6001,"项目不存在")
|
||||
return
|
||||
}
|
||||
book_id = book.BookId
|
||||
bookId = book.BookId
|
||||
} else {
|
||||
bookResult, err := models.NewBookResult().FindByIdentify(identify, c.Member.MemberId)
|
||||
if err != nil {
|
||||
@@ -780,7 +792,7 @@ func (c *BookController) SaveSort() {
|
||||
if bookResult.RoleId == conf.BookObserver {
|
||||
c.JsonResult(6002, "项目不存在或权限不足")
|
||||
}
|
||||
book_id = bookResult.BookId
|
||||
bookId = bookResult.BookId
|
||||
}
|
||||
|
||||
content := c.Ctx.Input.RequestBody
|
||||
@@ -795,13 +807,13 @@ func (c *BookController) SaveSort() {
|
||||
}
|
||||
|
||||
for _, item := range docs {
|
||||
if doc_id, ok := item["id"].(float64); ok {
|
||||
doc, err := models.NewDocument().Find(int(doc_id))
|
||||
if docId, ok := item["id"].(float64); ok {
|
||||
doc, err := models.NewDocument().Find(int(docId))
|
||||
if err != nil {
|
||||
beego.Error(err)
|
||||
continue
|
||||
}
|
||||
if doc.BookId != book_id {
|
||||
if doc.BookId != bookId {
|
||||
logs.Info("%s", "权限错误")
|
||||
continue
|
||||
}
|
||||
@@ -810,18 +822,18 @@ func (c *BookController) SaveSort() {
|
||||
beego.Info("排序数字转换失败 => ", item)
|
||||
continue
|
||||
}
|
||||
parent_id, ok := item["parent"].(float64)
|
||||
parentId, ok := item["parent"].(float64)
|
||||
if !ok {
|
||||
beego.Info("父分类转换失败 => ", item)
|
||||
continue
|
||||
}
|
||||
if parent_id > 0 {
|
||||
if parent, err := models.NewDocument().Find(int(parent_id)); err != nil || parent.BookId != book_id {
|
||||
if parentId > 0 {
|
||||
if parent, err := models.NewDocument().Find(int(parentId)); err != nil || parent.BookId != bookId {
|
||||
continue
|
||||
}
|
||||
}
|
||||
doc.OrderSort = int(sort)
|
||||
doc.ParentId = int(parent_id)
|
||||
doc.ParentId = int(parentId)
|
||||
if err := doc.InsertOrUpdate(); err != nil {
|
||||
fmt.Printf("%s", err.Error())
|
||||
beego.Error(err)
|
||||
@@ -846,11 +858,12 @@ func (c *BookController) Team() {
|
||||
}
|
||||
|
||||
book, err := models.NewBookResult().FindByIdentify(key, c.Member.MemberId)
|
||||
if err != nil {
|
||||
if err != nil || book == nil {
|
||||
if err == models.ErrPermissionDenied {
|
||||
c.ShowErrorPage(403, "权限不足")
|
||||
}
|
||||
c.ShowErrorPage(500, "系统错误")
|
||||
return
|
||||
}
|
||||
//如果不是创始人也不是管理员则不能操作
|
||||
if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
|
||||
@@ -884,6 +897,7 @@ func (c *BookController) TeamAdd() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(500, err.Error())
|
||||
return
|
||||
}
|
||||
//如果不是创始人也不是管理员则不能操作
|
||||
if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
|
||||
@@ -905,6 +919,7 @@ func (c *BookController) TeamAdd() {
|
||||
err = teamRel.Save()
|
||||
if err != nil {
|
||||
c.JsonResult(5004, "加入项目失败")
|
||||
return
|
||||
}
|
||||
teamRel.Include()
|
||||
|
||||
@@ -924,6 +939,7 @@ func (c *BookController) TeamDelete() {
|
||||
|
||||
if err != nil {
|
||||
c.JsonResult(5002, err.Error())
|
||||
return
|
||||
}
|
||||
//如果不是创始人也不是管理员则不能操作
|
||||
if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
|
||||
|
||||
@@ -2,30 +2,30 @@ package controllers
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"html/template"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
"net/url"
|
||||
"image/png"
|
||||
"fmt"
|
||||
"github.com/astaxie/beego"
|
||||
"github.com/astaxie/beego/logs"
|
||||
"github.com/astaxie/beego/orm"
|
||||
"github.com/boombuler/barcode"
|
||||
"github.com/boombuler/barcode/qr"
|
||||
"github.com/lifei6671/mindoc/conf"
|
||||
"github.com/lifei6671/mindoc/models"
|
||||
"github.com/lifei6671/mindoc/utils"
|
||||
"github.com/lifei6671/mindoc/utils/pagination"
|
||||
"gopkg.in/russross/blackfriday.v2"
|
||||
"github.com/lifei6671/mindoc/utils/cryptil"
|
||||
"github.com/lifei6671/mindoc/utils/filetil"
|
||||
"github.com/lifei6671/mindoc/utils/gopool"
|
||||
"github.com/astaxie/beego/logs"
|
||||
"github.com/lifei6671/mindoc/utils/pagination"
|
||||
"gopkg.in/russross/blackfriday.v2"
|
||||
"html/template"
|
||||
"image/png"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
// DocumentController struct
|
||||
@@ -113,19 +113,21 @@ func (c *DocumentController) Read() {
|
||||
|
||||
if docId, err := strconv.Atoi(id); err == nil {
|
||||
doc, err = doc.FromCacheById(docId)
|
||||
if err != nil {
|
||||
if err != nil || doc == nil {
|
||||
beego.Error("从缓存中读取文档时失败 ->", err)
|
||||
c.ShowErrorPage(404, "文档不存在或已删除")
|
||||
return
|
||||
}
|
||||
} else {
|
||||
doc, err = doc.FromCacheByIdentify(id, bookResult.BookId)
|
||||
if err != nil {
|
||||
if err != nil || doc == nil {
|
||||
if err == orm.ErrNoRows {
|
||||
c.ShowErrorPage(404, "文档不存在或已删除")
|
||||
} else {
|
||||
beego.Error("从缓存查询文档时出错 ->", err)
|
||||
c.ShowErrorPage(500, "未知异常")
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
@@ -195,7 +197,7 @@ func (c *DocumentController) Edit() {
|
||||
bookResult, err = models.NewBookResult().FindByIdentify(identify, c.Member.MemberId)
|
||||
|
||||
if err != nil {
|
||||
if err == orm.ErrNoRows || err == models.ErrPermissionDenied{
|
||||
if err == orm.ErrNoRows || err == models.ErrPermissionDenied {
|
||||
c.ShowErrorPage(403, "项目不存在或没有权限")
|
||||
} else {
|
||||
beego.Error("查询项目时出错 -> ", err)
|
||||
@@ -341,11 +343,12 @@ func (c *DocumentController) Upload() {
|
||||
name := "editormd-file-file"
|
||||
|
||||
file, moreFile, err := c.GetFile(name)
|
||||
if err == http.ErrMissingFile {
|
||||
if err == http.ErrMissingFile || moreFile == nil {
|
||||
name = "editormd-image-file"
|
||||
file, moreFile, err = c.GetFile(name)
|
||||
if err == http.ErrMissingFile {
|
||||
if err == http.ErrMissingFile || moreFile == nil {
|
||||
c.JsonResult(6003, "没有发现需要上传的文件")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
@@ -427,7 +430,7 @@ func (c *DocumentController) Upload() {
|
||||
|
||||
path := filepath.Dir(filePath)
|
||||
|
||||
os.MkdirAll(path, os.ModePerm)
|
||||
_ = os.MkdirAll(path, os.ModePerm)
|
||||
|
||||
err = c.SaveToFile(name, filePath)
|
||||
|
||||
@@ -452,7 +455,6 @@ func (c *DocumentController) Upload() {
|
||||
attachment.DocumentId = docId
|
||||
}
|
||||
|
||||
|
||||
if filetil.IsImageExt(moreFile.Filename) {
|
||||
attachment.HttpPath = "/" + strings.Replace(strings.TrimPrefix(filePath, conf.WorkingDirectory), "\\", "/", -1)
|
||||
if strings.HasPrefix(attachment.HttpPath, "//") {
|
||||
@@ -675,8 +677,9 @@ func (c *DocumentController) Content() {
|
||||
// 如果是超级管理员,则忽略权限
|
||||
if c.Member.IsAdministrator() {
|
||||
book, err := models.NewBook().FindByFieldFirst("identify", identify)
|
||||
if err != nil {
|
||||
if err != nil || book == nil {
|
||||
c.JsonResult(6002, "项目不存在或权限不足")
|
||||
return
|
||||
}
|
||||
|
||||
bookId = book.BookId
|
||||
@@ -705,8 +708,9 @@ func (c *DocumentController) Content() {
|
||||
|
||||
doc, err := models.NewDocument().Find(docId)
|
||||
|
||||
if err != nil {
|
||||
if err != nil || doc == nil {
|
||||
c.JsonResult(6003, "读取文档错误")
|
||||
return
|
||||
}
|
||||
|
||||
if doc.BookId != bookId {
|
||||
@@ -781,25 +785,7 @@ func (c *DocumentController) Content() {
|
||||
c.JsonResult(0, "ok", doc)
|
||||
}
|
||||
|
||||
//
|
||||
//func (c *DocumentController) GetDocumentById(id string) (doc *models.Document, err error) {
|
||||
// doc = models.NewDocument()
|
||||
// if doc_id, err := strconv.Atoi(id); err == nil {
|
||||
// doc, err = doc.Find(doc_id)
|
||||
// if err != nil {
|
||||
// return nil, err
|
||||
// }
|
||||
// } else {
|
||||
// doc, err = doc.FindByFieldFirst("identify", id)
|
||||
// if err != nil {
|
||||
// return nil, err
|
||||
// }
|
||||
// }
|
||||
//
|
||||
// return doc, nil
|
||||
//}
|
||||
|
||||
// 导出
|
||||
// Export 导出
|
||||
func (c *DocumentController) Export() {
|
||||
c.Prepare()
|
||||
|
||||
@@ -1201,8 +1187,9 @@ func (c *DocumentController) Compare() {
|
||||
}
|
||||
|
||||
doc, err := models.NewDocument().Find(history.DocumentId)
|
||||
if doc.BookId != bookId {
|
||||
c.ShowErrorPage(60002, "参数错误")
|
||||
if err != nil || doc == nil || doc.BookId != bookId {
|
||||
c.ShowErrorPage(60002, "文档不存在或已删除")
|
||||
return
|
||||
}
|
||||
|
||||
c.Data["HistoryId"] = historyId
|
||||
@@ -1238,7 +1225,7 @@ func (c *DocumentController) isReadable(identify, token string) *models.BookResu
|
||||
}
|
||||
// 如果文档是私有的
|
||||
if book.PrivatelyOwned == 1 && (!c.isUserLoggedIn() || !c.Member.IsAdministrator()) {
|
||||
if s,ok := c.GetSession(identify).(string); !ok || (!strings.EqualFold(s,book.PrivateToken) && !strings.EqualFold(s,book.BookPassword)) {
|
||||
if s, ok := c.GetSession(identify).(string); !ok || (!strings.EqualFold(s, book.PrivateToken) && !strings.EqualFold(s, book.BookPassword)) {
|
||||
|
||||
if book.PrivateToken != "" && !isOk && token != "" {
|
||||
// 如果有访问的 Token,并且该项目设置了访问 Token,并且和用户提供的相匹配,则记录到 Session 中。
|
||||
|
||||
Reference in New Issue
Block a user